June 23, 2021
Severity
Medium
Analysis Summary
A recently discovered Bash ransomware piqued our interest in several ways. On investigation, we found that the attack chain is implemented entirely as bash scripts, and the scripts still appear to be under development. Most components of this attack target Red Hat and CentOS Linux distributions; some scripts, however, also cover Debian-based distributions. The worm and ransomware scripts use the API of the messaging application Telegram for command-and-control (C&C) communication. The "downloader.sh" script is an SSH worm that accepts base64-encoded configuration credentials as an argument. These credentials are either dumped by the attacker after gaining an initial foothold on a victim's systems or used as a brute-force list against systems with weak password protection. The malware checks whether the supplied configuration selects an SSH password attack or an SSH key-based attack; it then tests the given SSH passwords or SSH keys against the targeted IP address. On a successful connection, the malware downloads and executes the ransomware on the remote system.
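As an added example (not part of this advisory and not code from the malware's own scripts), the Python script below shows one way to look for the trace that the worm's password-list mode would leave on a target: a burst of rejected SSH passwords from a single source, followed by an accepted login from that same source. The log lines are constructed samples in the usual OpenSSH sshd format, and the threshold of five failures is an assumed tuning value, not something the advisory states.

```python
import re
from collections import defaultdict

# OpenSSH sshd messages as written to /var/log/auth.log or /var/log/secure
# (standard format; the regexes assume the usual "from <ip> port <n> ssh2" tail).
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Constructed sample log (not taken from any real incident): one source cycles
# through several accounts with bad passwords and then gets in as root; a
# second source performs a normal key-based login.
SAMPLE_LOG = """\
Jun 23 10:01:02 host sshd[1201]: Failed password for root from 192.0.2.10 port 51234 ssh2
Jun 23 10:01:04 host sshd[1202]: Failed password for invalid user admin from 192.0.2.10 port 51236 ssh2
Jun 23 10:01:06 host sshd[1203]: Failed password for root from 192.0.2.10 port 51240 ssh2
Jun 23 10:01:08 host sshd[1204]: Failed password for invalid user oracle from 192.0.2.10 port 51244 ssh2
Jun 23 10:01:10 host sshd[1205]: Failed password for root from 192.0.2.10 port 51250 ssh2
Jun 23 10:01:12 host sshd[1206]: Accepted password for root from 192.0.2.10 port 51252 ssh2
Jun 23 10:05:00 host sshd[1300]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
"""


def analyse_ssh_log(lines, threshold=5):
    """Return one finding per source with >= `threshold` rejected passwords.

    The finding is tagged 'success_after_bruteforce' when the same source is
    accepted after reaching the threshold; that is the pattern a password-list
    hit leaves behind and should be treated as a likely compromise.
    """
    failures = defaultdict(lambda: {"count": 0, "users": set()})
    accepted_after = {}  # src -> first user accepted once the threshold was reached
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            entry = failures[m["src"]]
            entry["count"] += 1
            entry["users"].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and m["src"] in failures and failures[m["src"]]["count"] >= threshold:
            accepted_after.setdefault(m["src"], m["user"])
    findings = []
    for src, entry in failures.items():
        if entry["count"] < threshold:
            continue
        findings.append({
            "src": src,
            "kind": "success_after_bruteforce" if src in accepted_after else "bruteforce",
            "failures": entry["count"],
            "users": sorted(entry["users"]),
            "accepted_as": accepted_after.get(src),
        })
    return findings


if __name__ == "__main__":
    for finding in analyse_ssh_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

Feeding real sshd logs through `analyse_ssh_log` (one line per element) gives a per-source summary; the ordering check matters, because an accepted login that precedes the failures is not evidence that the list succeeded. Sources tagged `success_after_bruteforce` are the ones to triage first, since the advisory describes the ransomware being downloaded and run immediately after a successful connection.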
Impact
- File Encryption
- Credential Theft
Indicators of Compromise
MD5
- 219202aa2355b68ee4ea61056fb13b37
- ae6eeaa09f5fa4c937928430c397b1ff
- 6b2f67ac804c04cce6b1404a27013ca2
- 43530cae846e5a334ad9fe8c0ebcd52a
- f64a6a99c383d72701829ae11a7deb04
- f42542edd0ab744e728e8386bd990a27
- 3402c9373726396598011ef6ec1ea243
- 8224c9faafd5f4a8678bfa511fc4b5e2
- 5c215494d938fbab70841de4a11e805e
- 9885d42b645604eac9cf8eb51356d34e
- f4ed5ca9a00b08068b8f625299e8f992
- b5b6f49805dcb7facfa1a4f88d6c9998
- 94a4295cd2d0df00c570a41663729f2b
SHA-256
- d0d3743384e400568587d1bd4b768f7555cc13ad163f5b0c3ed66fdc2d29b810
- 652ee7b470c393c1de1dfdcd8cb834ff0dd23c93646739f1f475f71a6c138edd
- 9f99cf2bdf2e5dbd2ccc3c09ddcc2b4cba11a860b7e74c17a1cdea6910737b11
- 654d19620d48ff1f00a4d91566e705912d515c17d7615d0625f6b4ace80f8e3a
- 79aee7a4459d49dc6dfebf1a45d32ccc3769a1e5c1f231777ced3769607ba9c1
- da68dc9d5571ef4729adda86f5a21d3f4478ddbae2de937f34f57f450d8a3c76
- 3bab2947305c00df66cb4d6aaef006f10aca348c17aa2fd28e53363a08b7ec68
- 0243ac9f6148098de0b5f215c6e9802663284432492d29f7443a5dc36cb9aab5
- e380c4b48cec730db1e32cc6a5bea752549bf0b1fb5e7d4a20776ef4f39a8842
- fdd8c27495fbaa855603df4f774fe86bbc21743f59fd039f734feb07704805bd
- 7a15e51e5dc6a9bfe0104f731e7def854abca5154317198dad73f32e1aead740
- c869261902a1364dd3decb2f8dce54b81621f20abd7204a427a3365c8dcc9d78
- 503276929ce5c56c626eaa5c3aca0e0160743bf3c8d415042dc3f9bb8c8b44a2
- 847d0057ade1d6ca0fedc5f48e76dd076fa4611deb77c490899f49701e87b6dd
SHA-1
- e437221542112affc30e036921e4395b72fe6504
- 5b231b4d834220bf378d1a64c15cc04eca6ddaf6
- 1bea1c2715f44fbfe38c80d333dfa5a28921cefb
- ff1dd49ddc5e5777178d674baac457346edfaab3
- 36407477fb8d38549015cc158f09bdff7df80f3c
- ae06fe75f220927175caa58475a743d40ca6f592
- 919b574a4d000161e52d57b827976b6d9388b33f
- 215d777140728b748fc264ef203ebd27b2388666
- 45b57869e3857b50c1d794baba6ceca2641a7cfa
- a4203ca2686ef6983f3e32b552177ffe29b53380
- 2adf0a05fa59961f221bba9317fb65528c91c74f
- d76d08b1127b40983619ff11a314d49a1473d7c4
- 26ab968b9448ebb8eb98e1fcb22ebf35174a024e
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
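The following Python scanner is an added example (not code from this advisory) of the second remediation step: it walks a directory tree, hashes every regular file with MD5, SHA-1 and SHA-256 in a single pass, and reports any file whose digest appears in the hash lists above. The IoC sets are copied from this advisory. Because the malicious samples themselves are not available here, `demo_scan()` is a constructed self-check that builds a temporary tree and matches it against a demo set containing the SHA-256 of an empty file, alongside a run against the advisory's real set.

```python
import hashlib
import io
import os
import sys
import tempfile

# Hash values copied from the Indicators of Compromise section of this advisory.
IOC_MD5 = {
    "219202aa2355b68ee4ea61056fb13b37", "ae6eeaa09f5fa4c937928430c397b1ff",
    "6b2f67ac804c04cce6b1404a27013ca2", "43530cae846e5a334ad9fe8c0ebcd52a",
    "f64a6a99c383d72701829ae11a7deb04", "f42542edd0ab744e728e8386bd990a27",
    "3402c9373726396598011ef6ec1ea243", "8224c9faafd5f4a8678bfa511fc4b5e2",
    "5c215494d938fbab70841de4a11e805e", "9885d42b645604eac9cf8eb51356d34e",
    "f4ed5ca9a00b08068b8f625299e8f992", "b5b6f49805dcb7facfa1a4f88d6c9998",
    "94a4295cd2d0df00c570a41663729f2b",
}
IOC_SHA1 = {
    "e437221542112affc30e036921e4395b72fe6504", "5b231b4d834220bf378d1a64c15cc04eca6ddaf6",
    "1bea1c2715f44fbfe38c80d333dfa5a28921cefb", "ff1dd49ddc5e5777178d674baac457346edfaab3",
    "36407477fb8d38549015cc158f09bdff7df80f3c", "ae06fe75f220927175caa58475a743d40ca6f592",
    "919b574a4d000161e52d57b827976b6d9388b33f", "215d777140728b748fc264ef203ebd27b2388666",
    "45b57869e3857b50c1d794baba6ceca2641a7cfa", "a4203ca2686ef6983f3e32b552177ffe29b53380",
    "2adf0a05fa59961f221bba9317fb65528c91c74f", "d76d08b1127b40983619ff11a314d49a1473d7c4",
    "26ab968b9448ebb8eb98e1fcb22ebf35174a024e",
}
IOC_SHA256 = {
    "d0d3743384e400568587d1bd4b768f7555cc13ad163f5b0c3ed66fdc2d29b810",
    "652ee7b470c393c1de1dfdcd8cb834ff0dd23c93646739f1f475f71a6c138edd",
    "9f99cf2bdf2e5dbd2ccc3c09ddcc2b4cba11a860b7e74c17a1cdea6910737b11",
    "654d19620d48ff1f00a4d91566e705912d515c17d7615d0625f6b4ace80f8e3a",
    "79aee7a4459d49dc6dfebf1a45d32ccc3769a1e5c1f231777ced3769607ba9c1",
    "da68dc9d5571ef4729adda86f5a21d3f4478ddbae2de937f34f57f450d8a3c76",
    "3bab2947305c00df66cb4d6aaef006f10aca348c17aa2fd28e53363a08b7ec68",
    "0243ac9f6148098de0b5f215c6e9802663284432492d29f7443a5dc36cb9aab5",
    "e380c4b48cec730db1e32cc6a5bea752549bf0b1fb5e7d4a20776ef4f39a8842",
    "fdd8c27495fbaa855603df4f774fe86bbc21743f59fd039f734feb07704805bd",
    "7a15e51e5dc6a9bfe0104f731e7def854abca5154317198dad73f32e1aead740",
    "c869261902a1364dd3decb2f8dce54b81621f20abd7204a427a3365c8dcc9d78",
    "503276929ce5c56c626eaa5c3aca0e0160743bf3c8d415042dc3f9bb8c8b44a2",
    "847d0057ade1d6ca0fedc5f48e76dd076fa4611deb77c490899f49701e87b6dd",
}
ADVISORY_IOCS = {"md5": IOC_MD5, "sha1": IOC_SHA1, "sha256": IOC_SHA256}


def hash_stream(fh, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 of a binary stream in one read pass."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for block in iter(lambda: fh.read(chunk_size), b""):
        for h in digests.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in digests.items()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def scan_tree(root, iocs=ADVISORY_IOCS):
    """Walk `root`, hash each regular file and return those matching any IoC set."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:  # skip pseudo-filesystems when scanning from "/"
            dirnames[:] = [d for d in dirnames if d not in ("proc", "sys", "dev", "run")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    digests = hash_stream(fh)
            except OSError:
                continue  # unreadable or vanished file; keep scanning the rest
            for algo, value in digests.items():
                if value in iocs.get(algo, ()):
                    hits.append({"path": path, "algo": algo, "hash": value})
                    break
    return hits


def demo_scan():
    """Constructed self-check (not real malware): returns (hits against a demo IoC
    set holding the SHA-256 of an empty file, hits against the advisory's set)."""
    demo_iocs = {"md5": set(), "sha1": set(), "sha256": {hash_bytes(b"")["sha256"]}}
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "opt", "demo"))
        open(os.path.join(tmp, "opt", "demo", "empty.sh"), "wb").close()
        with open(os.path.join(tmp, "opt", "demo", "notes.txt"), "wb") as fh:
            fh.write(b"constructed benign content\n")
        return scan_tree(tmp, demo_iocs), scan_tree(tmp)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/"
    for hit in scan_tree(target):
        print(f"IOC match ({hit['algo']}): {hit['path']} {hit['hash']}")
```

Run it as `python3 ioc_scan.py /` on a suspect host (the file name is assumed) and treat any printed match as confirmation rather than the only signal: hash matching only catches the exact samples listed here, so a recompiled or edited script will not be found by this check and still needs the behavioural indicators described in the analysis summary.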